1. Who we are
"Referral Gem" ("we", "us", "our") is a referral marketing application available on the Shopify App Store. We act as a data processor on behalf of the Shopify merchant who installs our app (the "Merchant"), and we provide the application to that Merchant's end customers ("Customers") under the Merchant's direction.
2. Data we collect
From the Merchant's Shopify store
When a Merchant installs Referral Gem, Shopify grants us access to the data necessary to operate the service. This typically includes:
- Shop information — store name, domain, primary email, currency, plan, country, and installation metadata.
- Customer records — name, email, marketing consent status, and tags, used to mint and attribute referral links.
- Order data — order ID, totals, discount codes applied, line items, refunds, and cancellations, used to attribute referrals and reconcile rewards.
- Discount data — codes we create or read in order to issue rewards.
From end Customers
When a Customer visits a referral share page, signs up to be notified, or completes a referred purchase, we may process:
- Email address and name (if voluntarily provided).
- A pseudonymous device fingerprint, IP address, and user-agent — used strictly for fraud and self-referral prevention.
- Page-view and click events on referral share pages, in aggregate and tied to the relevant referral link.
We do notsell personal data and we do not use it for advertising attribution outside of the Merchant's store.
3. How we use data
- To operate the referral program (mint links, attribute orders, issue rewards).
- To prevent fraud, self-referrals, and abuse.
- To produce reports and analytics for the Merchant.
- To send transactional email related to the program (with the Merchant's sender).
- To provide and improve the service, including diagnostics and support.
- To comply with legal obligations.
4. Sub-processors and integrations
We rely on a small set of well-known sub-processors to deliver the service. Each is bound by appropriate data-protection terms.
- Shopify— host of the Merchant's store; source of customer, order, and discount data.
- Vercel — application hosting and edge delivery.
- Neon / Postgres — managed database storage.
- Klaviyo — optional email delivery for merchants who choose to send via Klaviyo.
- Sentry — application error monitoring.
5. Data retention
We retain Merchant and Customer data for as long as the Merchant has Referral Gem installed, plus a short window thereafter for billing and audit. When a Merchant uninstalls Referral Gem, we mark the shop for deletion and erase associated personal data within 48 hours, except where retention is required by law (for example, tax records).
6. GDPR & CCPA — your rights
If you are an end Customer of a Merchant using Referral Gem, you can exercise your rights (access, rectification, erasure, restriction, portability, objection) by contacting the Merchant directly. We honour Shopify's standard mandatory privacy webhooks: customers/data_request, customers/redact, and shop/redact.
You may also email privacy@referralgem.com and we will route your request to the relevant Merchant or fulfil it directly when we are the controller.
7. International transfers
Personal data may be transferred to and processed in countries other than your own. Where required, we rely on Standard Contractual Clauses or equivalent transfer mechanisms.
8. Security
We protect data in transit with TLS, encrypt it at rest in our managed database, scope access to a small number of authorised personnel, and log access for audit. We will notify affected Merchants without undue delay if we become aware of a personal data breach.
9. Children
Referral Gem is not directed to anyone under 16. We do not knowingly collect personal data from children. If you believe we have, please contact us so we can delete it.
10. Changes to this policy
We may update this policy from time to time. When we do, we will update the "Effective" date at the top and, for material changes, notify Merchants through the app.
11. Contact
Questions or requests: privacy@referralgem.com.